A forward authentication / authorisation (authN) implementation of Envoy External Authorization (ext_authz), built with Contour and Pomerium in mind.
This is still under development. It works, but use at your own risk.
Why do I need this?
- You are using an ingress controller
- You want to delegate authN to an external Identity and Access Management (IAM) solution (e.g. Keycloak, OAuth2 Proxy, Pomerium), and have it handle the entire authN flow (including the redirects)
- The ingress controller does not directly support OAuth2, OpenID Connect (OIDC) or any other integration with the external IAM solution you want to use (e.g. the IAM solution may not implement ext_authz)
- The external IAM solution you want to use supports forward authN
If the answer is "yes" to all the above, this is where forward-ext-authz-service comes in.
It bridges the gap between an ingress controller which only supports ext_authz, and an external IAM solution that does not support ext_authz but does support forward authN. Specifically, it was built with Contour and Pomerium in mind.
Even if your ingress controller does support other non-Envoy authN options, you may want to consider using this as an alternative solution so that you can leverage the often simpler ext_authz integration instead.
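The bridging described above, as an added example that is not the project's own code: a minimal Go ext_authz server that answers each Envoy check by calling a forward-auth endpoint. It speaks the HTTP variant of Envoy's ext_authz protocol, because that variant needs only the standard library (Contour's ExtensionService talks gRPC, so a real deployment would wrap the same decision logic in the gRPC Check RPC). The verify URL, the X-Forwarded-* header names, the relayed header lists and the X-Forwarded-User identity header are assumptions, and the fake IdP is a constructed stand-in so the example runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Headers copied from Envoy's check request into the forward-auth request
// (the IdP needs the session cookie or bearer token). Assumed list.
var forwardedRequestHeaders = []string{"Cookie", "Authorization"}

// Headers relayed to Envoy on denial so the client receives the IdP's login
// redirect and any state cookie it sets. Assumed list.
var deniedResponseHeaders = []string{"Location", "Set-Cookie", "WWW-Authenticate"}

// NewForwardAuthHandler implements Envoy's ext_authz HTTP protocol on top of a
// forward-auth endpoint: every check becomes a GET to verifyURL that carries
// Traefik-style X-Forwarded-* headers describing the original request. A 2xx
// from the IdP is answered with 200 (allow); anything else, typically a 302
// to the login page, is relayed as the denial response.
func NewForwardAuthHandler(verifyURL string, rt http.RoundTripper) http.Handler {
	client := &http.Client{
		Transport: rt,
		Timeout:   5 * time.Second,
		// Hand the IdP's 302 back unchanged instead of following it: following
		// would fetch the login page and turn "go log in" into a bogus allow.
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, verifyURL, nil)
		if err != nil {
			http.Error(w, "invalid verify URL", http.StatusInternalServerError)
			return
		}
		req.Header.Set("X-Forwarded-Method", r.Method)
		req.Header.Set("X-Forwarded-Host", r.Host)
		req.Header.Set("X-Forwarded-Uri", r.URL.RequestURI())
		for _, h := range forwardedRequestHeaders {
			req.Header[h] = r.Header.Values(h)
		}
		resp, err := client.Do(req)
		if err != nil {
			// Fail closed: an unreachable or slow IdP must never become an allow.
			http.Error(w, "auth backend unavailable", http.StatusServiceUnavailable)
			return
		}
		defer resp.Body.Close()
		if resp.StatusCode >= 200 && resp.StatusCode < 300 {
			// Identity header name is an assumption; each IdP uses its own.
			if u := resp.Header.Get("X-Forwarded-User"); u != "" {
				w.Header().Set("X-Forwarded-User", u)
			}
			w.WriteHeader(http.StatusOK)
			return
		}
		for _, h := range deniedResponseHeaders {
			if vs := resp.Header.Values(h); len(vs) > 0 {
				w.Header()[h] = vs
			}
		}
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// Check pushes one ext_authz-style request (what Envoy would send) through h
// and returns the decision's status, Location and user header.
func Check(h http.Handler, method, path, cookie string) (int, string, string) {
	req := httptest.NewRequest(method, "https://app.example.test"+path, nil)
	if cookie != "" {
		req.Header.Set("Cookie", cookie)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("X-Forwarded-User")
}

// NewFakeIdP is a constructed stand-in for a forward-auth capable IdP: a
// session=valid cookie is accepted and tagged with an identity; anything else
// is redirected to a login page that remembers the original host and URI.
func NewFakeIdP() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err == nil && c.Value == "valid" {
			w.Header().Set("X-Forwarded-User", "alice")
			return // implicit 200 OK
		}
		rd := url.QueryEscape(r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri"))
		http.Redirect(w, r, "/login?rd="+rd, http.StatusFound)
	}))
}

func main() {
	idp := NewFakeIdP()
	defer idp.Close()
	h := NewForwardAuthHandler(idp.URL+"/verify", idp.Client().Transport)
	fmt.Println(Check(h, http.MethodGet, "/app", ""))              // 302 /login?rd=app.example.test%2Fapp
	fmt.Println(Check(h, http.MethodGet, "/app", "session=valid")) // 200  alice
}
```

Two details matter when wiring this to a real Envoy: the ext_authz http_service forwards only a handful of request headers by default (Authorization among them, Cookie not), so the session cookie must be listed in authorization_request.allowed_headers or every check will be denied; and the bridge must fail closed, which is why an error talking to the IdP becomes a 503 rather than an allow, and why the HTTP client is told not to follow the IdP's redirect.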
- Publish Docker image
- Create sample Kubernetes manifests
- Expand docs with diagram of authN flow